|Publication number||US20050185626 A1|
|Application number||US 11/106,943|
|Publication date||25 Aug 2005|
|Filing date||15 Apr 2005|
|Priority date||2 Aug 2002|
|Also published as||CA2526978A1, CA2526978C, EP1529352A1, EP1529352A4, US6950628, US7493084, WO2004013986A1|
|Publication number||106943, 11106943, US 2005/0185626 A1, US 2005/185626 A1, US 20050185626 A1, US 20050185626A1, US 2005185626 A1, US 2005185626A1, US-A1-20050185626, US-A1-2005185626, US2005/0185626A1, US2005/185626A1, US20050185626 A1, US20050185626A1, US2005185626 A1, US2005185626A1|
|Inventors||Robert Meier, Tim Olson, Victor Griswold, Sheausong Yang, Bhavannarayana Nelakanti|
|Original Assignee||Meier Robert C., Tim Olson, Griswold Victor J., Sheausong Yang, Bhavannarayana Nelakanti|
This application is a continuation of U.S. application Ser. No. 10/212,193 filed on Aug. 2, 2002.
The present invention relates generally to network access and more particularly to a method and system to differentiate network access for different classes of users.
It is becoming increasingly important to differentiate network access for different classes of users, in particular different classes of wireless LAN users. One proposal for providing differentiated network access and services is that Access Points should implement a method wherein a Remote Authentication Dial-In User Server (RADIUS server) explicitly assigns an 802.11 station to a Virtual LAN identifier (VLAN ID) by returning a VLAN ID attribute in the RADIUS record for the station. Such RADIUS-based VLAN assignment has limited scope and severely restricts mobility. A large or campus network may contain multiple VLANs that provide equivalent services. For example, a campus network may contain multiple Voice VLANs. If a RADIUS server explicitly assigns an 802.11 Voice over IP (VoIP) phone to a voice VLAN, then the phone is limited to a single voice VLAN; for example, the phone may be limited to a VLAN on a single floor in a single building. The only method for segregating users is “VLAN trunking”; therefore, the proposal is generally limited to network areas with a VLAN infrastructure. Thus there exists a need for a method and system wherein multiple parameters can be grouped into a Service Set, which is controlled by a single RADIUS attribute that is not limited to a VLAN ID assignment.
For the purposes of describing the present invention, an “authorized WSTA” is any station that is explicitly authorized to access the network via a security server, and a “guest WSTA” is a station that is not explicitly authorized to access the network. A RADIUS server is used as an example security server in describing the present invention, but, as those skilled in the art can readily appreciate, the concepts of the present invention apply with any security server.
It should be noted that a “Service Set” as defined herein is not the same as an 802.11 Extended Service Set (ESS).
Additional objects, advantages and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of instrumentalities and combinations particularly pointed out in the appended claims.
In view of the aforementioned needs, an aspect of the present invention contemplates a method for an access point to associate a wireless station to either a home subnet or a VLAN based on a configuration stored locally at the access point. When a wireless station desires to associate with an access point, the wireless station sends a message to the access point, the message containing a service set identifier (SSID), which is an arbitrary “name” for a service set. The access point then associates the wireless station to either a home subnet or a VLAN based on the SSID.
In accordance with an aspect of the present invention, there is disclosed herein an access point, comprising a wireless transceiver. The access point is responsive to an association request, the association request comprising an identifier for the wireless station making the request and a service set identifier indicative of a service set that identifies a type of service for the wireless station, received by the wireless transceiver to determine whether the access point is configured to support the service set. The access point is responsive to accept the association request upon a determination that the access point is configured to support the service set. The access point is responsive to deny the association request upon a determination that the access point is not configured to support the service set.
In accordance with an aspect of the present invention, there is disclosed herein a method for an access point to determine whether to allow a wireless station to associate. The access point receiving an association request, the association request comprising an identifier for the wireless station making the request and a service set identifier indicative of a service set that identifies a type of service for the wireless station. The access point determining whether the access point is configured to support the service set. The access point denying the association request upon a determination that the access point is not configured to support the service set.
In accordance with an aspect of the present invention, there is described herein an access point, comprising means for receiving from a wireless station an association request, the association request comprising an identifier for the wireless station making the request and a service set identifier indicative of a service set that identifies a type of service for the wireless station. The access point further comprises means for determining whether the access point is configured to support the service set. The access point comprises means for accepting the association request responsive to the means for determining whether the access point is configured to support the service set determining that the access point is configured to support the service set. The access point also comprises means for denying the association request responsive to the means for determining whether the access point is configured to support the service set determining that the access point is not configured to support the service set.
Among those benefits and improvements that have been disclosed, other objects and advantages of this invention will become apparent from the following description taken in conjunction with the accompanying drawings. The drawings constitute a part of this specification and include exemplary embodiments of the present invention and illustrate various objects and features thereof.
The drawings illustrate the best mode presently contemplated of carrying out the invention.
The present invention contemplates a method where wireless stations (WSTAs) are partitioned into “Service Sets.” A Service Set Identifier (SSID) identifies each service set. The SSID can be a standard 802.11 SSID.
A Service Set is an arbitrary grouping of one or more network service parameters. Service parameters may be used to differentiate network access for security purposes. For example, “guest” WSTAs that are restricted to secure “guest” subnets may be grouped into a “GUEST” Service Set. Service parameters may also be used to differentiate network services that are not necessarily related to security. For example, employee WSTAs that require a “Proxy Mobile IP” service for seamless campus mobility may be grouped into a “MOBILE-EMPLOYEE” Service Set.
Service Set authorization is accomplished in one of two ways. While the following examples use a RADIUS server, as those skilled in the art can readily appreciate, the authorization may be accomplished with any security server. First, a RADIUS server can explicitly authorize a WSTA to join one or more Service Sets. In the first case, the RADIUS server returns a list of allowed SSIDs in the RADIUS record for the WSTA. For backward compatibility with legacy 802.11 systems, the absence of the SSID list can be interpreted as a list of all SSIDs. Second, a RADIUS server can explicitly assign a WSTA to a Service Set. In that case, the RADIUS server returns an “assigned SSID” in the RADIUS record for the WSTA. Note that the first method enables the WSTA to change its active Service Set without requiring configuration changes to the RADIUS database.
A standard 802.11 WSTA sends an association message, which contains an 802.11 SSID, each time it associates with a parent AP. A WSTA is only associated if it successfully passes any authentication criteria that are defined for its SSID, and the WSTA is either authorized to join the Service Set identified by its SSID or is explicitly assigned to a different SSID by the RADIUS server.
Unauthenticated “guest WSTAs” are assigned to a default guest Service Set, which may permit restricted access to the network.
Service set parameter values that determine a WSTA's home subnet are configured locally in wireless access points (APs) so that parameter values have local significance. For example, a campus network may have a voice VLAN in each building. A “VOICE” SSID can be bound to VLAN 10 in building 1 and VLAN 20 in building 2. A WSTA configured with the “VOICE” SSID can access any voice VLAN.
APs determine current Service Set parameter values from SSID configuration values and WSTA ‘context’ information. For example, a WSTA may belong to a Service Set named “MOBILE” that has “seamless inter-subnet mobility” enabled. A “home subnet” may be configured for the “MOBILE” SSID in each AP. Initially, a “MOBILE” WSTA is bound to the home subnet configured for “MOBILE” in its parent AP. Thereafter, as the WSTA roams, it is seamlessly bound to its original home subnet, regardless of the “home subnet” configured for “MOBILE” in any new parent AP. A context transfer protocol is used to transfer the WSTA's home subnet context to a new parent AP.
The home subnet bindings for a “MOBILE” WSTA can be aged and discarded after the WSTA becomes inactive for some period of time so that the WSTA can be bound to a different, more optimal, home subnet when it becomes active again.
A WSTA's home subnet can be automatically derived by “snooping” the source IP address in IP packets transmitted by the WSTA rather than using an access point service set parameter value to bind the WSTA to a home subnet. In that case, an SSID/home-subnet database is used to determine if the WSTA is authorized to access the home subnet that corresponds to its IP address. The SSID/home-subnet database contains a list of “allowed” subnets for each SSID. The database can be statically configured. Alternatively, APs can automatically determine the subnet address for each subnet that is accessible via one of their configured SSIDs. Note that the subnet address for an SSID may not be the same in different APs. The list of allowed subnets for each SSID is the aggregate of the local SSID/subnet bindings in all APs. (This method is necessary to support WSTAs with a permanent IP address. It is also necessary to re-establish home subnet bindings that have been aged and discarded.)
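The snooping variant above, as an added example that is not part of the patent text: each AP's local SSID-to-subnet bindings are aggregated into the SSID/home-subnet database, the source address is read out of a station's IPv4 packet, and the station is only bound to the subnet it appears to be on when that subnet is on the allowed list for its SSID. The AP names, subnets and the sample packet are constructed for the example.

```python
"""Added example, not from the patent text: derive a WSTA's home subnet by
snooping the source IP of its packets and checking it against an SSID/home-subnet
database built by aggregating each AP's local SSID -> subnet bindings."""
import ipaddress
from collections import defaultdict

# Constructed sample: SSID -> subnet bindings configured locally in three APs.
# The same SSID is bound to a different subnet in each building, as the text notes.
AP_LOCAL_BINDINGS = {
    "ap-bldg1": {"VOICE": "10.1.10.0/24", "MOBILE": "10.1.20.0/24", "GUEST": "192.168.100.0/24"},
    "ap-bldg2": {"VOICE": "10.2.10.0/24", "MOBILE": "10.2.20.0/24", "GUEST": "192.168.100.0/24"},
    "ap-bldg3": {"VOICE": "10.3.10.0/24", "GUEST": "192.168.100.0/24"},
}

# Constructed 20-byte IPv4 header with no options: source 10.2.10.57, destination 10.2.10.1.
SAMPLE_IPV4_PACKET = bytes.fromhex(
    "4500 0028 0000 4000 4006 0000"   # ver/IHL, TOS, total len, id, flags/frag, TTL, proto=TCP, checksum (unset)
    "0a02 0a39"                        # source IP 10.2.10.57
    "0a02 0a01"                        # destination IP 10.2.10.1
)


def build_allowed_subnet_db(local_bindings):
    """Aggregate every AP's local bindings into SSID -> set of allowed subnets."""
    db = defaultdict(set)
    for bindings in local_bindings.values():
        for ssid, subnet in bindings.items():
            db[ssid].add(ipaddress.ip_network(subnet))
    return dict(db)


def snoop_source_ip(ip_packet):
    """Return the source IPv4 address of a packet as a string, or None when the
    payload is not a complete IPv4 header (the AP only trusts what it can parse)."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    return str(ipaddress.IPv4Address(ip_packet[12:16]))


def authorized_home_subnet(ssid, ip_packet, db):
    """Derive the WSTA's home subnet from a snooped packet and check that the
    subnet is on the allowed list for its SSID. Returns the subnet as a string,
    or None when the address lies outside every subnet the SSID may reach, in
    which case the AP must not bind the station to that subnet."""
    src = snoop_source_ip(ip_packet)
    if src is None:
        return None
    addr = ipaddress.ip_address(src)
    for subnet in db.get(ssid, ()):
        if addr in subnet:
            return str(subnet)
    return None


if __name__ == "__main__":
    db = build_allowed_subnet_db(AP_LOCAL_BINDINGS)
    print("VOICE may reach:", sorted(map(str, db["VOICE"])))
    print("VOICE station at 10.2.10.57 ->", authorized_home_subnet("VOICE", SAMPLE_IPV4_PACKET, db))
    print("GUEST station at 10.2.10.57 ->", authorized_home_subnet("GUEST", SAMPLE_IPV4_PACKET, db))
```

The allowed-subnet check is the security-relevant step: without it, a station could pick any source address and have the AP bind it to a subnet its service set was never meant to reach.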
By using the Service Set method as described herein, a WSTA can be assigned to a specific VLAN ID. However, this method is not limited to VLAN ID assignment. Instead, multiple parameters can be grouped into a single Service Set, which may be controlled by a single RADIUS or other security server attribute. Because the Service Set parameters are instantiated locally in parent APs, the Service Set parameters can be set to values that are optimal for the local network topology and current WSTA context. For example, either VLAN trunking or Mobile IP tunneling can be used, as is locally appropriate, to restrict guest WSTAs to a secure guest subnet.
Another feature that may be incorporated with the present invention is that a WSTA can change its Service Set without requiring changes to its RADIUS configuration. For example, a WSTA can inhibit seamless mobility, for example when it is running a non-IP application that prohibits inter-subnet mobility, by changing its active SSID to one that does not have Proxy Mobile IP enabled.
The method of the present invention may be implemented by using the standard 802.11 SSID; therefore, no changes are required to existing WSTAs to obtain the benefits of the present invention.
Referring now to
Referring now to
If the AP 102 does have a matching SSID, then the AP determines at step 508 if the association is allowed for the WSTA 208. This can be done by accessing a security server, such as a RADIUS server. For example, when the RADIUS server is accessed, the RADIUS server returns a list of allowed SSIDs. The association for the WSTA is only allowed if the WSTA's SSID is in the list. This prevents unauthorized access to a service set that is supported in the AP. If the association is not allowed, then at step 510 the AP does not allow the connection.
If the AP 102 does have a matching SSID and the WSTA 208 is allowed to associate, then at step 512 the AP 102 determines whether to associate the WSTA 208 by subnet or by VLAN. If the association is by subnet, then at step 514 the AP 102 binds the WSTA 208 to the home subnet. At step 516 the AP 102 determines if it can tunnel to the home subnet; if it can, then the process is completed as shown in step 518.
If the AP 102 cannot tunnel to the home subnet at step 516, then the AP 102 can bind the WSTA 208 to a local subnet as shown in step 520. Then, as shown in step 518, the process is completed.
If at step 512 it is determined that the WSTA 208 is to be bound to a VLAN, then the procedure goes to step 522 wherein the WSTA 208 is bound to a VLAN. Then the procedure is completed as shown in step 518.
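The association flow of steps 508 through 522, together with the two RADIUS authorization methods (allowed-SSID list with "no list means all", or an assigned SSID), the default guest service set, and the locally configured home subnet that a roaming station keeps via transferred context, as one added example. This is not the patent's or any vendor's code: the RADIUS records, the AP configuration and the treatment of a station with no security-server record as a guest are assumptions made for the example.

```python
"""Added example, not the patent's or any vendor's code: an access point's
association decision for a wireless station (WSTA), following the described flow:
is the requested SSID configured on this AP; does the security server authorize
the station for that service set (allowed-SSID list, assigned SSID, legacy
"no list means all SSIDs", default guest set); then bind by VLAN or by home
subnet, tunnelling to the home subnet when possible and otherwise falling back
to a local subnet."""
from dataclasses import dataclass
from typing import Optional

GUEST_SSID = "GUEST"  # default guest service set for stations the server does not authorize

# Constructed RADIUS-style records keyed by WSTA MAC. A missing "allowed_ssids"
# key is the legacy case meaning "all SSIDs"; "assigned_ssid" overrides the request.
SECURITY_SERVER_DB = {
    "00:11:22:33:44:01": {"allowed_ssids": ["VOICE", "MOBILE"]},
    "00:11:22:33:44:02": {},
    "00:11:22:33:44:03": {"allowed_ssids": ["MOBILE"], "assigned_ssid": "GUEST"},
}


@dataclass
class ServiceSetConfig:
    """Service set parameters as configured locally in one AP."""
    bind_by: str                        # "subnet" or "vlan"
    home_subnet: Optional[str] = None   # used when bind_by == "subnet"
    vlan_id: Optional[int] = None       # used when bind_by == "vlan"


@dataclass
class AccessPoint:
    name: str
    service_sets: dict      # ssid -> ServiceSetConfig
    tunnel_subnets: set     # home subnets this AP is able to tunnel to
    local_subnet: str       # fallback binding when tunnelling is not possible


# Constructed AP in building 1; the same SSIDs would map to other values elsewhere.
SAMPLE_AP = AccessPoint(
    name="ap-bldg1",
    service_sets={
        "VOICE": ServiceSetConfig("subnet", home_subnet="10.1.10.0/24"),
        "MOBILE": ServiceSetConfig("subnet", home_subnet="10.1.20.0/24"),
        "GUEST": ServiceSetConfig("vlan", vlan_id=100),
    },
    tunnel_subnets={"10.1.10.0/24", "10.1.20.0/24", "10.2.20.0/24"},
    local_subnet="10.1.20.0/24",
)


def authorize(mac, requested_ssid, server_db):
    """Step 508: return the SSID the station may use, or None to refuse.
    A station with no record at the security server is treated as a guest
    (assumption for this example) and placed in the default guest set."""
    record = server_db.get(mac)
    if record is None:
        return GUEST_SSID
    if "assigned_ssid" in record:
        return record["assigned_ssid"]
    allowed = record.get("allowed_ssids")
    if allowed is None or requested_ssid in allowed:
        return requested_ssid
    return None


def associate(ap, mac, requested_ssid, context=None, server_db=SECURITY_SERVER_DB):
    """Decide an association request. `context`, if given, carries the home subnet
    transferred from the previous parent AP; a roaming station keeps it in
    preference to the home subnet configured locally for its SSID."""
    if requested_ssid not in ap.service_sets:
        return {"accepted": False, "reason": "no matching SSID on this AP"}
    ssid = authorize(mac, requested_ssid, server_db)
    if ssid is None:                                                  # step 510
        return {"accepted": False, "reason": "not authorized for service set"}
    cfg = ap.service_sets.get(ssid)
    if cfg is None:
        return {"accepted": False, "reason": "assigned SSID not supported on this AP"}
    if cfg.bind_by == "vlan":                                         # steps 512 / 522
        return {"accepted": True, "ssid": ssid, "binding": ("vlan", cfg.vlan_id)}
    home = (context or {}).get("home_subnet", cfg.home_subnet)        # step 514
    if home in ap.tunnel_subnets:                                     # step 516
        return {"accepted": True, "ssid": ssid, "binding": ("subnet", home)}
    return {"accepted": True, "ssid": ssid,                           # step 520
            "binding": ("subnet", ap.local_subnet), "fallback": True}


if __name__ == "__main__":
    print(associate(SAMPLE_AP, "00:11:22:33:44:01", "VOICE"))
    print(associate(SAMPLE_AP, "00:11:22:33:44:01", "GUEST"))
    print(associate(SAMPLE_AP, "00:11:22:33:44:01", "MOBILE", context={"home_subnet": "10.3.20.0/24"}))
```

Two checks matter for access control here: the requested SSID must be configured locally before the server is even asked, and an SSID the server assigns must itself be configured on the AP, otherwise the station is refused rather than silently given some other binding.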
While in the description of the process of
Although the invention has been shown and described with respect to a certain preferred embodiment, it is obvious that equivalent alterations and modifications will occur to others skilled in the art upon the reading and understanding of this specification. The present invention includes all such equivalent alterations and modifications and is limited only by the scope of the following claims.
|International Classification||H04L12/28, H04L29/06, H04L12/46, G01S19/25|
|Cooperative Classification||H04W28/18, H04W12/08, H04L63/104, H04W84/12, H04W80/04, H04L12/4641, H04W4/08, H04W72/0426|
|European Classification||H04L63/10C, H04L12/46V, H04W12/08|